Blogger: Richard Watson
I spent part of last week speaking to European clients about cloud and SaaS. There's a real thirst here for a conversation about the challenges and risks of cloud and SaaS, free from hype and hysteria. The architects and executives I spoke to are already fatigued with "SaaS and cloud being pushed non-stop by vendors and analysts" (sic).
One universal concern about hosting data in external clouds is data privacy. Heretofore, concerns of EU companies included the fact that storing personal data in "third countries" violated the EU's Data Protection Act. Of far more concern now is that local data regulations in the provider's jurisdiction (especially the US Patriot Act) could be prioritized over the international Safe Harbor arrangements designed to broker between the local and guest privacy regulations.
I think these fears are justified, and the recent clarification by the European Commission in its "Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries" does little to allay that substantive fear. The EU confirmation does indeed clarify which "third countries" have adequate standards to comply with the EU Data Protection Act, thus opening the door for EU data to be stored in (you won't need two hands to count them) the US (with Safe Harbor), Switzerland, Canada, Argentina, Jersey, Guernsey and the Isle of Man. US companies that have signed Safe Harbor agreements (including Amazon, Google, Microsoft, and IBM) are bound to comply with European data protection standards, but the relative prioritization of those agreements against the Patriot Act has never been explicitly tested in court. Therein lies the problem. Could you risk your customers' data as the test case?
This interesting study by Galexia challenges the effectiveness of the Safe Harbor agreement as a compromise.
A further grey area that was raised at our cloud sessions was whether "strategic US business interests" might also be prioritized over Safe Harbor agreements. I pointed out that an even more concrete concern should be accidental data leakage and inappropriate use through either carelessness or malpractice of providers' employees, not to mention poor isolation practices. These issues are well-documented in Eric Maiwald's (subscriber only) "Considerations for Risk Management When Choosing Software as a Service".
The Cybersecurity Act of 2009, recently introduced in the US Senate, gives European consumers more reasons to think twice before jumping into (especially private) cloud agreements with US-based providers. The measures in the Cybersecurity Act are at the same time potentially wide-reaching and vague, but they include giving the US President a lot of power over the security of the Internet.
Despite the recent EU clarification, data privacy raises key questions for European cloud adopters. How are the clouds looking over Canada ... or Switzerland?